Skip to content

Commit fb3125e

Browse files
author
lushirong.77
committed
docs(secret-scanning): document Agents secrets type
1 parent c9bd77a commit fb3125e

2 files changed

Lines changed: 52 additions & 2 deletions

File tree

.pr_body.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
## Summary
2+
- add an `Agents secrets` section to the `Understanding GitHub secret types` reference page
3+
- include scope, access, and restrictions for Copilot cloud agent secrets
4+
- link to the dedicated cloud-agent setup guide from Further reading
5+
6+
Fixes #44913

content/code-security/reference/secret-security/secret-types.md

Lines changed: 46 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ category:
1818

1919
## How {% data variables.product.github %} stores secrets
2020

21-
{% data variables.product.github %} uses [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets. A secret is encrypted before reaching {% data variables.product.github %} and remains encrypted until it's used by {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_actions %}, or {% data variables.product.prodname_codespaces %}.
21+
{% data variables.product.github %} uses [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets. A secret is encrypted before reaching {% data variables.product.github %} and remains encrypted until it's used by {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, or {% data variables.copilot.copilot_cloud_agent %}.
2222

2323
{% endif %}
2424

@@ -118,6 +118,49 @@ Organization-level secrets:
118118
* {% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.github %} secrets that are printed to workflow logs.
119119
* You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. Secrets are limited to 48 KB in size. For more information, see [Limits for secrets](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#limits-for-secrets).
120120

121+
{% ifversion copilot %}
122+
123+
## Agents secrets
124+
125+
Agents secrets are used to store credentials and sensitive information for {% data variables.copilot.copilot_cloud_agent %}.
126+
127+
### Usage
128+
129+
Agents secrets are exposed to {% data variables.copilot.copilot_cloud_agent %} as environment variables in its ephemeral development environment. They can be used by scripts and tools that the agent runs, including `copilot-setup-steps.yml`. For MCP server configuration, only Agents secrets whose names begin with `COPILOT_MCP_` are available to the MCP configuration.
130+
131+
### Scope
132+
133+
You can define Agents secrets at:
134+
135+
* Repository level
136+
* Organization level
137+
138+
Agents secrets can be shared across repositories when set at the organization-level. You can use access policies to control which repositories can access the secret.
139+
140+
### Access permissions
141+
142+
Agents secrets are only available to {% data variables.copilot.copilot_cloud_agent %}.
143+
144+
{% data variables.copilot.copilot_cloud_agent %} does not have access to {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, or {% data variables.product.prodname_dependabot %} secrets. Likewise, {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, and {% data variables.product.prodname_dependabot %} cannot access Agents secrets.
145+
146+
#### User access permissions
147+
148+
Repository-level secrets:
149+
* Users with **admin access** to the repository can create and manage Agents secrets.
150+
* Users with **collaborator access** to the repository can use the secret through {% data variables.copilot.copilot_cloud_agent %}.
151+
152+
Organization-level secrets:
153+
* **Organization owners** can create and manage Agents secrets.
154+
* Users with **collaborator access** to the repositories with access to each secret can use the secret through {% data variables.copilot.copilot_cloud_agent %}.
155+
156+
### Limitations and restrictions
157+
158+
* Agents secrets are only passed to {% data variables.copilot.copilot_cloud_agent %}.
159+
* Secret values are masked in {% data variables.copilot.copilot_cloud_agent %} session logs.
160+
* For secrets you want to pass to MCP servers, the secret name must begin with `COPILOT_MCP_`.
161+
162+
{% endif %}
163+
121164
{% ifversion fpt or ghec %}
122165

123166
## {% data variables.product.prodname_codespaces %} secrets
@@ -169,6 +212,7 @@ Organization-level secrets:
169212
## Further reading
170213

171214
* [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)
172-
* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions){% ifversion fpt or ghec %}
215+
* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions){% ifversion copilot %}
216+
* [AUTOTITLE](/copilot/how-tos/copilot-on-github/customize-copilot/customize-cloud-agent/configure-secrets-and-variables){% endif %}{% ifversion fpt or ghec %}
173217
* [AUTOTITLE](/codespaces/managing-codespaces-for-your-organization/managing-development-environment-secrets-for-your-repository-or-organization)
174218
* [AUTOTITLE](/codespaces/managing-your-codespaces/managing-your-account-specific-secrets-for-github-codespaces){% endif %}

0 commit comments

Comments
 (0)